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DETAILED ACTION 

Response to Arguments 

1 . A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1 .17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.1 14, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.1 14. Applicant's submission filed on 4/7/2008 has been entered. 

2. Applicant's arguments filed 4/7/2008 have been fully considered but they are not 
persuasive. Applicant asserts that Ponchon teaches away from expanded buffering because 
Ponchon teaches discarding fragments when anomalies are detected. Response: pp. 13 and 14. 
While Examiner agrees that references cannot be combined where one of the references teaches 
away from the combination, Examiner asserts that to teach away from a proposed combination a 
reference must do more than merely set forth an alternative to the combination. For example, 
when providing a parenthetical for In re Grasselli, section 2145 of the MPEP states that the 
proposed combination was "expressly excluded" by one of the references. MPEP § 2145(X) 
(citing to In re Grasselli, 713 F.2d 731, 743, 218 USPQ 769, 779 (Fed. Cir. 1983)). By analogy, 
for Ponchon to teach away from the proposed combination, Ponchon would have to expressly 
state that expanded buffering should not be used when dealing with anomalous fragments. No 
such teaching is present in Ponchon. As such, Examiner asserts that Ponchon does not teach 
away from using expanded buffering to deal with anomalous fragments. 

3. Applicant also asserts that Cantrell fails to disclose "expanded buffering of fragments 
contained in said fragmented network traffic," as called for in claim 1, because Cantrell discloses 
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assembling fragments into ''normalized" packets. Response: pp. 13-14. Examiner respectfully 
disagrees that Cantrell fails to disclose expanded buffering for the fragments. Examiner submits 
that by using expanded buffering to store the "normalized" packet Cantrell also uses expanded 
buffering to store the fragments because the packet that is assembled from the fragments also 
necessarily will contain the fragments. Therefore, Examiner maintains that Cantrell discloses 
"expanded buffering of fragments contained in said fragmented network traffic". 

4. In view of the foregoing, Examiner maintains that the claims are obvious in view of the 
cited prior art. 

Claim Rejections - 35 USC § 101 

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

6. Claim 21 is rejected under 35 U.S.C. 101 because the claimed invention is directed to 
non-statutory subject matter. Claim 21 recites: "A computer program product". As such, claim 
21 claims a program, per se. A program, per se, is deemed to be "functional descriptive 
material" that has not been claimed in a manner that imparts functionality when employed as a 
computer component, such that the claims are currently directed to an abstract idea. See MPEP § 
2106.01 . Current PTO practice requires computer programs to be claimed using the following 
format: "A computer-readable medium encoded with computer instructions which when 
executed cause the computer to perform a method, the method comprising the steps of. Thus, 
the claim should be directed to the computer readable medium, rather than the program stored on 
the computer readable medium. 
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Claim Rejections - 35 USC §103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

8. Claims 1-16 and 18-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Pochon et al. (US 2003/0048793), of record, in view of Cantrell et al. (US 2004/0093513). 

9. Regarding claims 1, 20, and 21, Pochon discloses a method for assembling fragmented 
network traffic, comprising: detecting in the fragmented network traffic an anomaly that could 
result in two or more fragments contained in the fragmented network traffic being reassembled at 
a monitoring node to obtain a reassembled data flow that is different than a corresponding data as 
reassembled at a destination node to which the fragmented network traffic is addressed flfl| 
[0089]-[0093], esp. t [0093], where an NIDS checks to determine whether there is a conflict 
between previously received fragments and a currently received fragment, i.e. check to 
determine if there is an anomaly, see also Iffl [0022]-[0026]); and performing further processing 
on the fragmented network traffic having the anomaly (]] [0093], where the fragmented network 
traffic having the anomaly is discarded). 

Pochon does not expressly disclose initiating in response to detecting said anomaly 
expanded buffering of fragments contained in said fragmented network traffic. Rather, Pochon 
discloses that in response to detecting an anomaly the fragments are discarded fl[ [0093]). 
Cantrell teaches, in a system for identifying anomalies in fragmented network traffic (]( [0026]), 
that if a "suspicious" packet is identified, i.e. an anomaly is identified, then the packet is set aside 
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for a more careful examination (]f [0057]), where this permits the system to quickly identify 
suspicious packets at line rate and then take extra time to detect whether the suspicious packet is 
benign or malicious to permit the return of benign packets to the transmission line flf [0061], see 
also Tl [0063]). In addition, Cantrell discloses that the more careful examination includes the use 
of expanded buffering flf [0065], where the more careful examination includes comparing a copy 
of the suspicious packet to various signatures to determine if the suspicious packet is malicious, 
see also Tflf [0026] and [0062]- [0065], which discloses that the intrusion detection system can 
consider all options). It is implicit that this "expanded buffering" includes the fragments since 
the fragments are used to reconstruct the data stream. Therefore it would have been obvious to 
one of ordinary skill in the art at the time of the invention to initiate, in response to detecting said 
anomaly, expanded buffering of fragments contained in the fragmented network traffic to allow a 
more careful examination of the suspicious packet to determine whether the packet is benign or 
malicious. 

10. Regarding claims 2 and 18, Pochon in view of Cantrell discloses that detecting an 
anomaly comprises determining that said two or more fragments overlap (Pochon: [0022]- 
[0026], see also Cantrell: If [0026]). 

1 1 . Regarding claim 3, Pochon in view of Cantrell discloses that determining that said two or 
more fragments overlap comprises reading a header value associated with one of the fragments 
(Pochon: [009 1]-[0092]). 

12. Regarding claim 4, Pochon in view of Cantrell discloses that the header value comprises 
an offset value (Pochon: ^ [0091]-[0092]). 
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13. Regarding claims 5 and 19, Pochon in view of Cantrell discloses that detecting an 
anomaly comprises determining that said two or more fragments overlap and that at least two of 
said fragments comprise different data for an overlapping portion of said fragments (Pochon: 
[0022]-[0026], see also Cantrell: t [0026]). 

14. Regarding claim 6, Pochon in view of Cantrell discloses that performing further 
processing comprises determining configuration information associated with said destination 
node (Cantrell: K [0065], where a database of information pertaining to the various machines on 
the network is located in the intrusion detection system, sec also Cantrell: [0026] and [0062]- 
[0065], where the intrusion detection system determines all options and looks at various 
protocols when processing the packet). 

15. Regarding claim 7, Pochon in view of Cantrell does not expressly disclose that 
determining configuration information comprises querying the destination node; however, 
Pochon in view of Cantrell does disclose that determining configuration information comprises 
gathering such information in any known ways (Cantrell: ]] [0065]). Examiner takes official 
notice that querying a node is a known way to gather information on the node. As such, it would 
have been obvious to one of ordinary skill in the art at the time of the invention to query a 
destination node since this is a known way to gather information on a node. 

16. Regarding claim 8, Pochon in view of Cantrell discloses that determining configuration 
information comprises querying an information base (Cantrell: ]] [0065]). 

17. Regarding claim 9, Pochon in view of Cantrell discloses that performing further 
processing comprises reassembling the fragmented network traffic (Pochon: [0039]-[0040]) 
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to generate more than one variant of the reassembled data flow (Cantrell: [0026] and [0062]- 
[0065]). 

18. Regarding claim 10, Pochon in view of Cantrell discloses processing the anomaly to 
determine whether the fragmented network traffic is associated with a threat (Cantrell: Iflf 
[0065]). 

19. Regarding claim 11, Pochon in view of Cantrell discloses performing an action on the 
fragmented network traffic based on whether the fragmented network traffic is associated with a 
threat (Cantrell: K [0063]). 

20. Regarding claim 12, Pochon in view of Cantrell discloses discarding at least a portion of 
the fragmented network traffic if the fragmented network traffic is associated with a threat 
(Cantrell: If [0063]). 

21 . Regarding claim 13, Pochon in view of Cantrell discloses copying one or more fragments 
comprising the fragmented network traffic to a buffer (Cantrell: H [0065], where it is implicit that 
the traffic is copied to a buffer). 

22. Regarding claim 14, Pochon in view of Cantrell discloses that performing further 
processing comprises sending an alert (Cantrell: U [0063]). 

23. Regarding claim 15, Pochon in view of Cantrell discloses that performing further 
processing comprises determining whether the fragmented network traffic should be blocked 
(Cantrell: If [0063]). 

24. Regarding claim 16, Pochon in view of Cantrell discloses that performing further 
processing comprises determining whether the fragmented network traffic should be forwarded 
to the destination node (Cantrell: If [0063]). 
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Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to DANIEL J. RYMAN whose telephone number is (571)272-3152. 
The examiner can normally be reached on Mon.-Fri. 8:00am-4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Lynn Feild can be reached on (571)272-2092. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Daniel J. Ryman 
Primary Examiner 
Art Unit 2616 

/Daniel J. Ryman/ 

Primary Examiner, Art Unit 2616 



